Sometimes users get host unknown
David Nolan
vitroth+ at cmu.edu
Tue Jun 13 11:50:28 UTC 2006

--On Tuesday, June 13, 2006 11:23:38 +0100 Andrew Watkins
<andrew at dcs.bbk.ac.uk> wrote:
> lkl.ac.uk. 86400 IN NS ns1.lonklab.ac.uk.
> lkl.ac.uk. 86400 IN NS mail1.ccs.bbk.ac.uk.
> ;; Received 101 bytes from 128.16.5.32#53(ns1.cs.ucl.ac.uk) in 150 ms
>
> dig: Couldn't find server 'ns1.lonklab.ac.uk': Name or service not known
>
>
> Any pointers?

I recently encountered a similar situation when one of our users was
complaining about inability to send mail to users in the phila.gov domain.
In the course of debugging the problem I discovered one small failing of
'dig +trace ....': it doesn't display or use the glue records provided
during the DNS traversal. i.e. ns1.cs.ucl.ac.uk provides both the two NS
records dig is displaying, and an A record for ns1.lonklab.ac.uk. You can
verify this yourself via 'dig ns lkl.ac.uk @ns1.cs.ucl.ac.uk'. Since dig
is not using the glue records, in order to do the next hop it relies on
your resolver library to look up ns1.lonklab.ac.uk. I suspect that your
nameserver is unable to resolve that name.

However I bet if you do the next hop lookup yourself it will work, i.e.
'dig www.lkl.ac.uk @193.61.29.32'. In my case this led to the interesting
discovery that bind was unable to do that query but running dig from a
shell on my nameserver, directly to the same target nameserver, worked
fine. I then started looking at packet traces and discovered that all of
my nameservers which were having problems talking to phila.gov name servers
were sending packets from the same udp source port, 32768, and not getting
any response. Restarting bind caused it to pick a new source port and the
queries started working. Thus I came to the conclusion that phila.gov had
a firewall that was breaking dns queries to their servers. I've
temporarily configured my servers not to send from that port (via
'avoid-v4-udp-ports {32768;};'), but that's just a hack workaround.
Unfortunately the phila.gov whois records contain no contact information,
and I've not received any response to the message I sent to their published
contact address. (If anyone has a contact at phila.gov, please pass this &
my name along...)
I don't know if your problem will be similar, but hopefully this gives you
some ideas for debugging...

-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University
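
The packet-trace check described in the message above, as an added example (not part of the original post and not BIND code): it tallies queries and replies per destination server and UDP source port, then flags ports that go unanswered toward a server that does answer another port. The trace lines, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n udp port 53` style, not a real capture.
# 192.0.2.10 stands in for the local resolver (assumption for this example).
SAMPLE_TRACE = """\
11:50:01.000100 IP 192.0.2.10.32768 > 198.51.100.53.53: 4101+ A? mail.example.org. (34)
11:50:03.000200 IP 192.0.2.10.32768 > 198.51.100.53.53: 4101+ A? mail.example.org. (34)
11:50:05.000300 IP 192.0.2.10.32768 > 198.51.100.54.53: 4102+ MX? example.org. (29)
11:50:06.000400 IP 192.0.2.10.32768 > 203.0.113.7.53: 4103+ A? www.example.net. (33)
11:50:06.040000 IP 203.0.113.7.53 > 192.0.2.10.32768: 4103 1/0/0 A 203.0.113.80 (49)
11:52:10.000500 IP 192.0.2.10.41877 > 198.51.100.53.53: 4200+ A? mail.example.org. (34)
11:52:10.060000 IP 198.51.100.53.53 > 192.0.2.10.41877: 4200 1/0/0 A 198.51.100.25 (50)
"""

# src_ip.src_port > dst_ip.dst_port:
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

def port_stats(trace):
    """Map (server_ip, local_source_port) -> (queries_sent, replies_seen)."""
    stats = defaultdict(lambda: [0, 0])
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip anything that is not an IPv4 UDP summary line
        src, sport, dst, dport = m.groups()
        if dport == "53":                      # outbound query to a server
            stats[(dst, int(sport))][0] += 1
        elif sport == "53":                    # reply coming back to us
            stats[(src, int(dport))][1] += 1
    return {key: tuple(val) for key, val in stats.items()}

def blocked_ports(trace):
    """(server, source_port) pairs with queries but no replies, limited to
    servers that did reply to some other source port, so the server itself
    is known to be up and the source port is the variable that matters."""
    stats = port_stats(trace)
    alive = {srv for (srv, _), (_, replies) in stats.items() if replies}
    return sorted(
        (srv, port)
        for (srv, port), (queries, replies) in stats.items()
        if queries and not replies and srv in alive
    )

if __name__ == "__main__":
    for server, port in blocked_ports(SAMPLE_TRACE):
        print(f"no replies from {server} to source port {port}")
```

A server that never answers on any port (198.51.100.54 in the sample) is deliberately not flagged, since the trace alone cannot distinguish a dead server from port-based filtering.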